In the digital age, emails have become an integral part of our daily lives. Your email address is usually the first that is asked when creating an online account. It's a means of communication and authorization, a versatile tool everyone has used since the inception of the Internet.
If your email search hits all of the datapoints that email lookup techniques have to offer, you will find the full name, social media profiles, associated companies, home address, phone numbers, and other personal information. Getting that many results is an optimistic scenario, as some emails are burners or aren't active. Whatever you find during an investigation, pivot off that information to find new leads.
Email investigation process usually depends on the case, but there are common steps to follow. In short, whether you try to guess an email address or have already got one, it's important to verify it still exists and belongs to your target. Once you verified it – get more information using Google or various data enrichment tools.
Let's start from the scenario where you don't have an email, but know the targets' username or name and surname. The company your target works for is also useful to create more accurate assumptions, as corporate addresses usually follow a specific pattern.
Before you create any assumptions, do some research. Try to find out the date of birth or alternative names, as they are often included within the email. Having a name means you can use Behindthename.com and Werelate.org, for example, to explore more email alternatives. To generate email lists use these tools:
- Company profiling: Hunter.io is great at finding corporate email patterns, however it doesn't work on individual accounts. If you are preparing a phishing attack it is important to validate addresses beforehand.
- Online generators: Metricsparrow.com, Analyzeid.com and NAMEINT are great tools to quicky generate assumptions. Definitely a way to go when you don't want to install Python scripts and setup any required dependancies.
- CLI tools: EmailGuesser and Generate_by_real_info.py are simple email generation scripts you can download from Github. In addition, username generators work well for this purpose. Logins-generator, NickGenerator and Namemash.py will do the job. Just add email domains to usernames you have generated. If you feel confident working in the terminal – try Pydictor, it's a powerful hacker dictionary builder.
- Google Spreadsheet. Online services generate simple results and Terminal tools are too advanced to work with? Well, the best of both worlds might be this spreadsheet by Rob Ousbey.
Verify your assumptions
After the previous step you may have generated a huge list of emails. Even if you already had one, it is essential to verify those emails. Tools below will definitely help you out:
- Verifalia – offers real-time email validation, detecting invalid, disposable, and temporary email addresses to improve deliverability and reduce bounce rates.
- Hunter.io email verifier – is a verification service designed to help users verify the validity of email addresses by checking their deliverability and authenticity.
- ZeroBounce – provides 100 free monthly email verifications to help you eliminate invalid, disposable, and temporary email addresses from your list. It also has email scoring and additional data enrichment features.
- NeverBounce – is a bulk email verification and real-time email verification service. It offers a CSV, XLS, XLSX or TXT file upload, which speeds up your research.
Pivot off your findings
Once you've got an email address try to enrich your findings. Use reverse email lookup tools, breaches and password reset techniques to get new leads. You can even start with Google. It's a good place if you are trying to hunt something down. Search engines tend to be the place where I garner the most information. Here are some Google Dork examples, modify them depending on your requirements:
- "target_email@" – search all possible domains.
- "email@example.com" site:facebook.com OR site:twitter.com OR site:instagram.com OR site:linkedin.com – search for email address mentions on social media.
- "firstname.lastname@example.org" site:pastebin.com OR site:pwnedlist.com OR site:haveibeenpwned.com – search within breaches.
- "email@example.com" filetype:pdf OR filetype:doc OR filetype:txt – search email within public documents.
Depending on the location of your target you might be successful in feeding the email to people search engines, like ThatsThem or Spokeo. Because of the loose privacy regulations in the USA, such services are able to yield much more information for Americans than for European people.
Telegram bots may yield very good results for people from the Post-Soviet States (Russia, Belarus, Ukraine, etc.). The most popular bots are Eye of God, Quick OSINT, and UserSearch. These are only a few from a long list of Telegram bots. Be careful interacting with bots, as they also collect information about you. The more sensitive inquiries you do, the better privacy and security measures you should take.
Reverse Email Lookup
Reverse email lookup is the process of searching for information about an email address using various search tools. The most popular tools are described below.
Epieos is a freemium OSINT tool to perform reverse lookup of email address and phone numbers without informing the target. The tool includes following modules: Google, Holehe, Skype, LinkedIn, Nike Run Club, Fitbit, GitHub, Duolingo, Pinterest, Asics Runkeeper, Adidas Runtastic, Strava, Tumblr, Vivino, Facebook, Airbnb, Chess.com, Substack. However, not all of them are accessible with a free account.
The tool is valuable for:
- Rough estimate of location, interests and preferred locations based on Google reviews.
- Finding a LinkedIn account associated with an email address (only for accounts that activated the "Profile discovery using email address" function for everyone).
- Generating visually attractive, easy to read reports.
OSINT Industries provides email and phone number check ups and has up to 200 modules. Every piece of data is fetched in real-time to ensure its accuracy. It even pulls additional data points, like images, map locations, and more. You can download results in JSON format, so they can be easily imported into other tools.
The tool is valuable for:
- Quickly finding social media profiles and other user accounts.
- Generating a comprehensive report about online activity of an individual.
SEON is commonly used to identify fraudsters and other malicious actors. This fraud prevention tool can access more than 50 social and online signals. These checks are based on IP addresses, email addresses, and contact numbers.
Like previously described tools, it shows what social profiles are registered with the email. However, it doesn't provide links to found profiles. It might still show accounts that were registered, but got deleted. For example, it may happen with deleted Github accounts. Or it could be even an account that is not even fully created, but the platform has already collected the user's email address. For instance, it shows Disney+ accounts that didn't even finish the subscription process.
The tool is valuable for:
- Obtaining enriched data based on emails, IPs, and phone numbers.
- Check breach information and check the date of the first breach, which is useful to determine approximate age of the email.
More useful tools
You should not have only one tool in your arsenal. Always use several tools to check what info other may have missed.
- Emailrep.io – an email reputation checker that shows if the address is valid, and any major social media accounts that are tied to it.
- Intel Techniques email tools – a collection of email lookup services that helps to perform email searches faster.
- People Data Labs – a company that provides data enrichment and people search services, which can assist in investigating emails. They have a large database that can be accessed using their API.
- Holehe – checks if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others.
- Browser extensions, like SignalHire, Clearbit Connect, and GetProspect are useful when you are visiting social media profiles and want to get emails. Usually those are used by recruiters and marketers.
Data breaches are a valuable source of information during email investigations. While the fact of the breach itself might not be as important, what’s important is that with the email you might get a list of services that person uses or at least used. Here are some services:
- Haveibeenpwnd – a database of billions of leaked accounts that have been compromised through a data breach.
- Dehashed – another data leak database, but it also provides more search options such as phone number, names, IP address and URLs.
- IntelX – OSINT search engine that collects only public data. It aggregates data breaches, but never takes the role of the first publisher. It also indexes pastes and allows you to search for a domain, CIDR, IP, Bitcoin addresses and more.
- Phonebook.cz – online service owned by the aforementioned IntelX that searches for email addresses in breach data.
Password reset helps to find out what services the target is using and associated phone numbers using "Forgot password" functionality. For example, you may go to Facebook.com and use "Forget password" to check if there is an account registered to that address. This way you can also find the user avatar and do a reverse image search on it.
Using password resets on different websites you will be able guess a big part of the phone number, if not the whole. Martin Vigos described in his article parts of the number different services reveal:
- Leaks first three and last two digits: eBay.
- Leaks first and last four digits: Paypal.
- Leaks first and last two digits: Yahoo.
- Leaks last four digits: Lastpass.
- Leaks last two digits: Google, Facebook, Twitter, Hotmail, Steam.
Analyse username portion
Username portion is the string that comes before the domain name. Sometimes it can reveal name, age, date of birth and other personal information. Let's take email example: "firstname.lastname@example.org". Looking at it, these are some questions you should ask:
- Do numbers in the username portion represent something?
- Does email address content tell me something meaningful?
- What is "haka"? Some things might look meaningless at first, but if you try to Google or ask ChatGPT, you may get pretty good results.
What could "haka_haka94" username potentially mean?
The use of "haka" in the username might indicate a connection or interest in the traditional Māori war dance known as the Haka. This could be a reference to their cultural heritage, a favorite sport or team, or simply an appreciation of the Haka's significance.
The output of ChatGPT gives one more reason to belive the person is potentially from New Zealand, considering it also has ".nz" email domain. The "94" number could be a date of birth, that's what people usually put in the email, but you should always verify your assumptions. To further investigate the username portion you can follow a pretty comprehensive guide below.
Email Header Analysis
Email headers contain technical details that can be used to track the origin of an e-mail, including the sender’s IP address and the route the email takes across a network. This information is important when investigating phishing campaigns and other types of cybercrime. To analyse the email you should:
- Open the email you want to trace.
- Open the email header by clicking "show original", this option is usually hidden under the three-dot menu in amost all email clients.
- Copy email header into the tool of your preference, or use the one from the list below.
- Google Admin Toolbox – analyses email headers for sender information, IP addresses, and routing details, helping them determine the source of an email.
- WhatIsMyIP – a service that provides a variety of tools, including email header analyser. This tool works for an email header extracted from any client.
- Mxtoolbox – web-based tool that parses and provides detailed insights into the headers of email messages, assisting in email troubleshooting, security analysis, and authentication verification.
- Mailheader.org – email header analyzer that provides detailed insights into email headers and shows the map of the email route.
- E-Mail Header Analyzer – a tool written in flask for parsing email headers and converting them to a human readable format. It can identify hop delays, the source of the email and hop country.
- WhatMail – a command-line tool that analyzes the header of an email and provides detailed information about various fields.
- HeadMail – a cross-platform tool developed using Node.js which can help investigators and researchers to analyse email headers to filter out relevant data which can be considered useful during digital investigations.
Done correctly, email research may provide a lot of valuable information. OSINT techniques described above can link social media accounts and find profiles you wouldn't be able to otherwise. You may end up in a lot of dead ends, but don’t give up. Email investigation can be done from different angles: cybersecurity professionals are good at email forensics and can easily analyse email headers. Private investigators prefer to be less technical and utilise Google search. Find the technique that works for you or pick a new one from this guide and learn it. Happy hunting!